debsecan
Scan Debian packages for security vulnerabilities
TLDR
List vulnerable installed packages on the current host
List vulnerable installed packages of a specific suite
List only fixed vulnerabilities
List only fixed vulnerabilities of unstable ("sid") and mail to root
Upgrade vulnerable installed packages
SYNOPSIS
debsecan [options]
PARAMETERS
--format {format}
Specifies the output format (e.g., plain, json, html). Defaults to plain.
--only-fixed
Only show vulnerabilities for which a fix is available.
--source {source}
Specifies the source list to use.
--cve {CVE_ID}
Filters by the specified CVE ID.
--ignore {file}
Ignore vulnerabilities listed in the specified file.
--severity {severity}
Filter by a minimum severity (e.g. critical, high, medium, low).
--package {package_name}
Filter by a specific package name.
--no-color
Disable colored output.
--help
Display help message.
--version
Show version information.
--exit-code
Returns a non-zero exit code when vulnerabilities are found.
DESCRIPTION
debsecan is a command-line tool designed to scan installed Debian packages for security vulnerabilities. It leverages the Debian Security Tracker database to identify packages with known issues and provides a report of potential security problems. The tool aims to help administrators quickly identify and address security risks within their Debian-based systems.
debsecan works by comparing the versions of the packages installed on the system against the information in the Debian Security Tracker. Because it reports vulnerabilities according to the package versions actually installed, it gives a realistic assessment of the system's security posture.
The tool is especially valuable for automated security audits and continuous integration/continuous deployment (CI/CD) pipelines. Administrators can incorporate debsecan into their security routines to ensure that systems are regularly checked for vulnerabilities and that appropriate remediation steps are taken promptly. It is easy to use and requires minimal configuration, which makes it accessible to both novice and experienced users.
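The version comparison described above, as an added example that is not debsecan's own code: a small Python model that applies dpkg's version ordering (epoch, then upstream part, then Debian revision, with '~' sorting lowest) to constructed installed-package and tracker-style records, and mirrors the --only-fixed option by dropping entries that have no fixed version. The package versions, CVE ids and fixed versions are constructed placeholders, not real tracker data.

```python
import re
from itertools import zip_longest

def _order(c):
    """dpkg weight of a non-digit char: '' (end) = 0, '~' sorts lowest, letters by code point, other symbols after letters."""
    if c == "":
        return 0
    return ord(c) if c.isalpha() else (-1 if c == "~" else ord(c) + 256)

def _cmp_part(x, y):
    """Compare an upstream or revision string as alternating non-digit/digit runs."""
    runs = lambda s: re.findall(r"(\D*)(\d*)", s)
    for (nx, dx), (ny, dy) in zip_longest(runs(x), runs(y), fillvalue=("", "")):
        for cx, cy in zip_longest(nx, ny, fillvalue=""):
            if _order(cx) != _order(cy):
                return _order(cx) - _order(cy)
        if int(dx or 0) != int(dy or 0):  # leading zeros are insignificant
            return int(dx or 0) - int(dy or 0)
    return 0

def debian_version_cmp(v1, v2):
    """Return -1, 0 or 1 for Debian versions of the form [epoch:]upstream[-revision]."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    c = (e1 - e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)
    return (c > 0) - (c < 0)

# Constructed sample data with placeholder CVE ids (not real tracker entries);
# a fixed version of None means the tracker lists no fix yet.
INSTALLED = {"openssl": "3.0.11-1~deb12u1", "curl": "7.88.1-10+deb12u5", "bash": "5.2.15-2+b2"}
TRACKER = [("CVE-0000-0001", "openssl", "3.0.11-1~deb12u2"),
           ("CVE-0000-0002", "curl", "7.88.1-10+deb12u5"),
           ("CVE-0000-0003", "bash", None)]

def scan(installed, tracker, only_fixed=False):
    """Return (cve, package, status) for installed packages still affected; only_fixed drops unfixed ones like --only-fixed."""
    report = []
    for cve, pkg, fixed in tracker:
        if pkg not in installed:
            continue
        if fixed is None:
            if not only_fixed:
                report.append((cve, pkg, "no fix available"))
        elif debian_version_cmp(installed[pkg], fixed) < 0:
            report.append((cve, pkg, f"fixed in {fixed}"))
    return report
```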
CAVEATS
Debsecan relies on the Debian Security Tracker database. Its accuracy depends on how up-to-date and complete the information in the database is. False positives or negatives may occur if the database is not fully synchronized with the system's package versions or if vulnerabilities are not yet reported.
EXIT CODES
The exit code of debsecan is 0 if no vulnerabilities are found. If '--exit-code' is provided and vulnerabilities are found, the exit code will be non-zero (typically 1).
CONFIGURATION
debsecan typically requires minimal configuration. However, the location of the Debian Security Tracker data and the list of sources can be configured using command-line options.
HISTORY
debsecan was developed to simplify security auditing on Debian systems. It provides a straightforward method for identifying vulnerabilities, reducing the manual effort required for security checks. The tool has become a popular choice for administrators and security professionals who seek an efficient and reliable way to assess the security of Debian-based systems.